Malware Mines, Steals Cryptocurrencies From Victims

By Tim Hux (https://securingtomorrow.mcafee.com/author/tim-hux/) and Norris Brazier
(https://securingtomorrow.mcafee.com/author/norris-brazier/) on Nov 22, 2017
(https://securingtomorrow.mcafee.com/2017/11/)

How's your Bitcoin balance? Interested in earning more? The value of cybercurrency is going up. One way to increase your 
holdings is by "mining," (https://www.bitcoinmining.com/) which is legal as long as it is done with the proper permissions. 
Using your own mining equipment or establishing a formal agreement for outsourcing are two methods. Hardware vendors 
such as Asus manufacture motherboards that are specifically tailored for mining cryptocurrency. 

Bitcoin mining involves complex mathematical calculations that are carried out by a computer's hardware and result in 
transaction records. These records are added to the Bitcoin public ledger, the "blockchain." The ledger keeps track of all 
transactions and verifies these transactions are legitimate. 

Cybercriminals are also attracted to online currency, which fuels much of their business, including malware purchases and 
ransomware payments. Cybercriminals would rather find outside computing power instead of using their own equipment 
because the price of a dedicated mining machine could exceed US$5,000. Cybercriminals often seek to bypass the agreement 
phase and maliciously introduce malware that will either use a victim's computing power to mine for coins or simply locate 
and steal the user's cryptocurrency. 
Three popular Bitcoin miners (https://www.bitcoinmining.com/bitcoin-mining-hardware/).


The number of instances of mining malware has increased significantly, to 1.65 million victims this year, according to one
report (https://securelist.com/miners-on-the-rise/81706/). That's a lot of slowing machines and increased electricity costs. For
individual users, the slowness and increased electricity bill may be trivial and go unnoticed for a time. For businesses with
hundreds or thousands of machines, however, the cost increase can be substantial.

The increased interest in illegally mining or stealing cryptocurrencies correlates easily with the increased value of these
currencies. One Bitcoin (BTC) was recently worth more than $7,500, up from around $3,000 a few weeks ago. Even
considering an earlier decline in value, Bitcoin has been trending upward for years. This upswing in value and the recent
adoption of Bitcoin in Japan and South Korea as legal tender
(https://cointelegraph.com/news/japan-officially-recognizes-bitcoin-and-digital-currencies-as-money) have increased the
demand for acquiring Bitcoin and altcoins. In September cybercriminals stole $63,000
(https://blog.eset.ie/2017/09/28/money-making-machine-monero-mining-malware/) worth of cryptocurrency in about three
months by taking advantage (https://thehackernews.com/2017/09/windows-monero-miners.html) of a flaw in Microsoft
Windows Internet Information Services.
The price of Bitcoin since 2010. Source: CoinDesk. (https://www.coindesk.com/price/)

Initial coin offerings (https://en.wikipedia.org/wiki/Initial_coin_offering) (ICOs) have also contributed to this gold rush. ICOs are
similar to IPOs, but instead of issuing to investors shares of a new company, the investors are given cryptocurrency in the
hope that a new company will be successful and result in a higher value for their digital coins.
During the last few years we have seen an increase in innovation by malware authors to infiltrate this space, resulting in
malware that both mines and steals coins and spans various platforms. Let's break down some of the tools and
techniques that have arisen in the world of crypto-mining and crypto-stealing malware.

• NightMiner 

• Adylkuzz 

• EternalMiner 

• MulDrop.14 

• ELF Linux/Mirai 

• OSX/Miner-D 

• Dridex 

• Trickbot 

• Jimmy Nukebot 

• HawkEye 

• Cerber 

• Web Mining 

NightMiner 

NightMiner mining malware was first seen in the wild in March 2015 and has been used to mine the Monero cryptocurrency.
Some cybercriminals have turned to Monero due to its built-in security features and lower cost to mine. For example,
Monero by default supports many blockchain obfuscation and anonymity technologies
(https://securingtomorrow.mcafee.com/mcafee-labs/staying-anonymous-on-the-blockchain-concerns-and-techniques/) such
as stealth addresses and crypto notes. This malicious software has been discovered on network attached storage (NAS)
devices and takes advantage of those devices' powerful CPU and GPU resources. The mining software can stay under the
radar on these devices because most administrators fail to install antimalware software on NAS systems. Sophos released an
extensive report (https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Cryptomining-malware-on-NAS-servers.pdf)
discussing this malware.

Adylkuzz 

Adylkuzz (https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar)
is more recent, coming on the scene this year. The mining malware is similar to the well-known ransomware WannaCry in that
it exploits two flaws in Microsoft's server message block (SMB) that are known as EternalBlue and DoublePulsar. Both defects
were leaked by the Shadow Brokers hacking group and are believed to be the work of the U.S. National Security Agency's
Equation Group. Adylkuzz is unique in that it will block all access to TCP Port 445, preventing other malware from taking
advantage of the SMB flaws.

fb > use Eternalblue

[!] Entering Plugin Context :: Eternalblue
[*] Applying Global Variables
[+] Set NetworkTimeout => 60
[+] Set TargetIp => 192.168.206.147


Code snippet from the Eternal Blue Metasploit module. 

EternalMiner 

Linux systems are not immune. EternalMiner
(https://www.bleepingcomputer.com/news/security/linux-servers-hijacked-to-mine-cryptocurrency-via-sambacry-vulnerability/)
took advantage of a vulnerability in Samba to infect as many systems as possible. The flaw allowed Samba servers to load and
execute code remotely after a shared library was uploaded by a malicious client. A patch to address the seven-year-old flaw
was released in May, but cybercriminals made thousands of dollars before network administrators could update their servers.

Linux.MulDrop.14 

Researchers have seen instances of Raspberry Pi—a small, versatile single-board computer—attacked by the crypto mining
malware Linux.MulDrop.14 (http://www.zdnet.com/article/linux-malware-enslaves-raspberry-pi-to-mine-cryptocurrency/).

The malicious software does not attempt to mine the CPU-intensive Bitcoin but, like NightMiner, focuses on Monero. This 
action shows a level of innovation as cybercriminals expand their scope to acquire cryptocurrencies across additional 
platforms. 

ELF Linux/Mirai 

Cryptocurrency malware mining has been discovered in connection with the Mirai botnet. ELF Linux/Mirai continues to evolve
and has added a Bitcoin miner slave module, allowing the malware to mine cryptocurrency from thousands of infected IoT
devices, according to a report (https://securityintelligence.com/mirai-iot-botnet-mining-for-bitcoins/) from IBM X-Force. Mirai
(https://en.wikipedia.org/wiki/Mirai_(malware)), discovered in August 2016, infected IoT devices and has also been responsible
for several DDoS attacks, including against DNS provider Dyn and Liberia's Internet infrastructure.

Source: McAfee Labs Threats Report, March 2017 (https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-mar-2017.pdf)
OSX/Miner-D

Although Apple's Mac OS has not been heavily targeted, it is also not immune. OSX/Miner-D both steals Bitcoins and mines on a
system. This malware has been around since 2011 and is the second most common malware
(https://www.bleepingcomputer.com/news/security/the-second-most-popular-mac-malware-is-a-cryptocurrency-miner/) on
the Mac. The malware, which is inserted into legitimate apps uploaded to torrent sites, made a surge early this year and
resulted in more than 20% of all detections in May. We expect to soon see new variants of this malicious software.

Dridex 

Cryptocurrency mining has caught the attention of the Dridex (https://blogs.forcepoint.com/security-labs/dridex-shadows- 
blacklisting-stealth-and-crypto-currency) Trojan's developers. Dridex is a banking Trojan that steals credentials to access 
accounts. Samples of this malware were discovered in 2016 that find and steal cryptocurrency wallets. 

Dridex is sophisticated malware. The developers behind this malware continue to evolve its code to avoid detection, increase 
infections, distribute ransomware, steal banking and personal information, and now pilfer Bitcoins. 

Trickbot 

The cybercriminals behind Trickbot (https://blogs.forcepoint.com/security-labs/trickbot-goes-after-cryptocurrency) have
added the capability to steal cryptocurrency. Trickbot has been around for years and has recently added coinbase.com as
one of its attack vectors. Once a system is infected, the malware monitors the victim's browsing habits and injects a fake login
page whenever the user visits coinbase.com. The fake page allows criminals to steal the login information, resulting in the
theft of cryptocurrencies including Bitcoin, Ethereum, and Litecoin as well as other digital assets.

Jimmy Nukebot 

Another Trojan making headlines is Jimmy Nukebot. (https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/) 
The authors behind the malicious software used code from the NeutrinoPOS banker Trojan. This variant, detected by McAfee 
as RDN/PWS-Banker, does not steal bank card data as before but installs various modules that contain a payload. One 
payload mines Monero. The digital wallet associated with the miner has received only about $45, which may indicate the 
malware authors either changed wallets or have stopped mining, according to Kaspersky. 
McAfee Labs detections for some variants of mining malware. Peak detections are the highest number of detection
occurrences on a single date in 2017.

HawkEye 

The credential harvesting malware HawkEye, (https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware- 
distributed-in-phishing-campaign.html) which surfaced in 2014, has added Bitcoin wallet stealing to its arsenal. The malware 
is well known for stealing a variety of credentials from web browsers and mail clients. Recent samples show HawkEye 
targeting the file wallet.dat, which holds the user's Bitcoin private keys along with other transaction information. 

Cerber 

Developers behind most ransomware prefer the ransoms be paid using cryptocurrency. In the recent case of Cerber, 
(https://securingtomorrow.mcafee.com/business/cerber-ransomware-now-capable-stealing-browser-passwords-bitcoin- 
wallet-data/) however, the actors have resorted to stealing the coins from the wallet before encrypting the system. Cerber is 
one of the most prolific ransomware families, infecting millions of computers worldwide. The ransomware has seen a decline 
in the past few months but continues to wreak havoc. 
The number of Cerber samples detected during the last 90 days. Source: Ransomware Tracker.
(https://ransomwaretracker.abuse.ch/)

Web Mining 

One new trend is a technique that mines cryptocurrency when visitors connect to websites
(https://www.bleepingcomputer.com/news/security/a-new-player-joins-coinhive-on-the-browser-cryptojacking-scene/).
Coinhive and Crypto-Loot, as well as others, sell Monero mining software that allows the buyer to insert JavaScript into
websites. The JavaScript mines cryptocurrency by using the site visitor's CPU power. The service has been a hot topic since it
first appeared because the software can be used maliciously to allow cybercriminals to mine cryptocurrency without users'
consent. A few legitimate sites, including The Pirate Bay and a major television company, have recently been found using the
software to mine Monero. The entertainment conglomerate has removed the code, but it remains unclear whether hackers
injected the software or the company included the code to make a few extra dollars while unsuspecting users were
watching their favorite shows.


The Pirate Bay has also removed the mining code and released a statement claiming the 24-hour test was designed to see if
the popular file-sharing site could use the miner to generate revenue and potentially replace ads. A few other sites, including
Iridium and PublicHD, are using the JavaScript code openly: Both sites inform their users of the code and, in the case of
Iridium, allow them to opt out. The undisclosed use of web miners has caused some websites to go dark. Internet provider
Cloudflare began shutting down
(https://www.coindesk.com/cloudflare-suspends-website-using-cryptocurrency-miner-malware/) domains after the company
discovered Coinhive's software mining Monero from visitors to torrent site ProxyBunker. The domains, which were shuttered
for not allowing users to opt out, were reopened after the mining code was removed.

const options = {
  // Opt-in checkbox in the extension's "donate" section; mining is off by default.
  miner: {
    id: "miner",
    section: "donate",
    sub_section: "miner",
    type: "checkbox",
    value: false,
    i18n: {
      label: "Contribute using your computer"
    }
  },
  // Worker count: half the machine's logical cores, or one if the browser
  // does not expose hardwareConcurrency.
  miner_threads: {
    id: "miner_threads",
    section: "donate",
    sub_section: "miner",
    type: "custom",
    value: window.navigator.hardwareConcurrency ? Math.round(window.navigator.hardwareConcurrency / 2) : 1,
    i18n: {
      thread_number: "Threads: "
    }
  }
};

JavaScript code from Iridium's Google Chrome miner extension. 
Crypto mining is not new, but it has gained attention due to the popularity of cryptocurrency, ICOs, and the overall value
increase of altcoins. As the adoption rate for cryptocurrency grows, we can expect cybercriminals to increasingly illegally
mine or steal cryptocurrency. They can use the stolen funds to shop on the dark web or exchange them for real currency.
A timeline of leading cryptocurrency miners.
If the attack uses a binary we classify as unsafe, our products will stop it. To be more clear, if we've seen it before (or we haven't,
but it breaks our rules), we stop it. Beyond that, I'd need some additional details to give you a better answer (for example, your
product configuration might have been changed for something else in your environment, changing how our product deals with
certain threats). If we can answer more questions for you, or you'd like to try a free trial, check out
https://www.mcafee.com/us/products.aspx.